Method, system, and apparatus for security assurance, protection, monitoring and analysis of integrated circuits and electronic systems using machine learning instruments and machine learning analysis
A method and system for analysis of a facility may include providing an emulation host system, generating a pristine circuit model on the emulation host system, inserting a first hardware trojan model, emulating operation of the golden circuit model, emulating operation of the first hardware trojan model, determining a set of machine-learning models, and detecting the presence of an unknown trojan as a function of the set of machine-learning models.
This application is related to U.S. Provisional Patent Application Ser. No. 63/056,349, filed 24 Jul. 2020, entitled Method and Apparatus for Using Embedded Instruments to Facilitate Machine Learning for Trojan Detection, Mitigation, and Elimination (the “Parent Provisional Application”).
This application claims priority to the Parent Provisional Application and hereby claims benefit of the filing date thereof pursuant to 37 CFR § 1.78(a)(4).
The subject matter of the Parent Provisional Application is expressly incorporated herein by reference.
STATEMENT REGARDING FEDERALLY SPONSORED RESEARCH OR DEVELOPMENT
This invention was made with government support under N00178-17-C-1318 and N68335-19-C-0259 awarded under the Small Business Innovation Research (“SBIR”) program. The government has certain rights in the invention.
FIELD OF THE INVENTION
The disclosure relates to integrated circuits, integrated circuit security and electronic systems emulation. More specifically, the present invention relates to the collection of data from integrated circuits and/or electronic systems that may contain inherent malicious content known as Trojans, where that collected data may be analyzed and resolved using computer-based or neural-network-based machine learning (“ML”) techniques.
BACKGROUND OF THE INVENTION
In general, in the descriptions that follow, the first occurrence of each special term of art that should be familiar to those skilled in the art of integrated circuits (“ICs”) and systems will be italicized. In addition, when a term is used that may be new or that may be used in a context that may be new, that term will be set forth in bold and at least one appropriate definition for that term will be provided. In addition, throughout this description, the terms assert and negate may be used when referring to the rendering of a signal, signal flag, status bit, or similar apparatus into its logically true or logically false state, respectively, and the term toggle may be used to indicate the logical inversion of a signal from one logical state to the other. Alternatively, the mutually exclusive Boolean states may be referred to as logic_0 and logic_1. Of course, as is well known, consistent system operation can be obtained by reversing the logic sense of all such signals, such that signals described herein as logically true become logically false and vice versa. Furthermore, it is of no relevance in such systems which specific voltage levels are selected to represent each of the logic states.
Hereinafter, reference to a facility shall mean a circuit or an associated set of circuits adapted to perform a particular function regardless of the physical layout of an embodiment thereof. Thus, the electronic elements comprising a given facility may be instantiated in the form of a hard macro adapted to be placed as a physically contiguous module, or in the form of a soft macro the elements of which may be distributed in any appropriate way that meets speed path requirements. In general, electronic systems comprise many different types of facilities, each adapted to perform specific functions in accordance with the intended capabilities of each system. Depending on the intended system application, the several facilities comprising the hardware platform may be integrated onto a single IC, or distributed across multiple ICs. Depending on cost and other known considerations, the electronic components, including the facility-instantiating IC(s), may be embodied in one or more single- or multi-chip packages. However, unless expressly stated to the contrary, the form of instantiation of any facility shall be considered as being purely a matter of design choice.
Electronic systems and facilities including circuits such as integrated circuits, chips, circuit boards, electronic devices, and components thereof, are subject to attacks and intrusions from malicious content or hardware trojans (hereinafter, collectively “hardware trojans”). As used herein, the term “hardware trojan” includes inherent malicious content or elements that may be included in a facility, and that may be exploited. For clarity, hardware trojans, as referenced herein, are to be distinguished from software trojans and related malicious software.
Hardware trojans, for example, may be intended to break or prevent normal operation, allow unauthorized take-over or locking, steal data, steal circuit structure, degrade the hardware, degrade circuit operations, or inject errors into data being processed. A non-exhaustive listing of labels or references for hardware trojans includes, without limitation, the following: “denial of service” (DoS), indicating preventing the integrated circuit from conducting its normal function for some period of time; “ransomware”, indicating the taking over or locking of an integrated circuit until a payment is extracted; “data theft”, indicating that critical information stored or processed within the integrated circuit has been exfiltrated (such as, for example, customer information, account numbers and account passwords that can be used for identity theft and to access financial accounts); “structure theft”, indicating that design or operation information concerning the electronic system or facility thereof has been exposed to enable reverse-engineering or counterfeiting; and “destructive operation”, indicating that a facility or electronic system may be operated in such a manner as to cause physical damage (for example, operating built-in self-test (BIST) logic until a facility goes into thermal overload and physically melts).
The capability to allow these types of attacks stems from inadvertent or intentionally malicious content (i.e., “hardware trojans”) included within the facility hardware, such as integrated circuit hardware. Instantiations of malicious content, both inadvertent and intentional, may be labeled or referenced by several names, but may be generally referred to as “security vulnerabilities” or “security exploits” (hereinafter, collectively, “security exploits”). Security exploits may be incorporated within a facility, or within an electronic system including a facility, at any point in design, development, integration, implementation, testing, programming, packaging, and distribution; or at any point in the design-manufacturing-distribution supply chain.
In the age of the internet, the internet-of-things (“IoT”), and ubiquitous home and business electronics, the prevalence of cyberattacks has become a key concern of many owners and users of those electronics. Many attacks source from, and make use of, the connection to the internet. Often overlooked, however, are the hardware trojans hidden within, embedded in, or built directly into the electronic hardware, i.e., trojan attacks. A trojan attack is the inclusion of hardware trojans within an electronic device. The trojan attack becomes realized when the trojan is activated and delivers its designated payload or takes its designated action. Trojans may be “always on” or may be triggered or activated by an event.
Modern electronic systems are used ubiquitously within many different industries and segments of society. A disaggregated supply chain, of which many elements reside within foreign countries that are not aligned with the interests of the United States, results in many opportunities to add nefarious content to the semiconductors and electronics that go into those ubiquitous products and systems. Of particular concern are electronics that are in critical safety and infrastructure systems and may have a questionable root of trust—military/government electronic systems, automotive or avionic systems, medical systems and infrastructure systems such as the power grid, water and wastewater processing and traffic control systems. Embedded Trojans and counterfeit electronics provide back door access and event-based triggers that can result in an impact to the mission mode through the disabling, take-over, degradation and corruption of those electronic devices and systems; or can result in the insertion of malware or an attack on the reputation or the reverse engineering of devices or systems through infiltration or exfiltration of code, states, data or structure.
When systems are assembled and delivered as products, both the provider of the electronic system and the user of the electronic system are concerned that the electronics represent what was intended. The technical field involving the verification of the electronics is known as Hardware Assurance. For example, the question can be asked of the silicon returned from a manufacturing foundry—“Is the silicon device I am receiving back from manufacturing, in fact, a match to what I sent to be manufactured?” There are many forms of verification of hardware assurance, most involving test, debug, or yield-analysis. For example, functional or structural vectors may be applied to verify that the device performs all of the actions outlined in the device specification, or that the truth tables of gates and the connections of wire routes all match the physical layout model. However, a Trojan can be viewed as a “defect, fault or error installed by a human intelligence, as opposed to an imperfect design, development or manufacturing process”. The human intelligence part is generally applied to add a level of stealth (to hide the Trojan) so that the change or modification that produces the Trojan and its trigger will not easily be found by the normal test, debug and yield-analysis processes. To this end, the Hardware Assurance process, with reference to hardware Trojans and counterfeit devices, requires extended analyses and techniques above and beyond the normal device test, characterization and verification processes.
Several of the applicants have developed certain improvements for use in cybersecurity systems, which improvements are fully described in the following pending applications or issued patents, all of which are expressly incorporated herein in their entirety:
“Method, System and Apparatus for Security Assurance, Protection, Monitoring and analysis of Integrated Circuits and Electronic Systems in Relation to Hardware trojans”, application Ser. No. 16/145,891, filed 28 Sep. 2018;
“Method, System and Apparatus for Security Assurance, Protection, Monitoring and analysis of Integrated Circuits and Electronic Systems in Relation to Hardware trojans”, application Ser. No. 16/450,336, filed 24 Jun. 2019;
“Method and System for Selection of Location for Placement of Trojans, Triggers and Instruments within Integrated Circuits and Electronic Systems using Contributory Operation Analysis”, application Ser. No. 16/732,236, filed 31 Dec. 2019; and
“Method and System for Selection of Location for Placement of Trojans, Triggers and Instruments within Integrated Circuits and Electronic Systems using Weighted Controllability and Observability Analysis”, application Ser. No. 16/775,658, filed 29 Jan. 2020.
One method (described in a previous patent disclosure) involves the use of Trojan detection instruments that can detect either the existence or operation of the activation trigger or the payload delivered by the Trojan. These are commonly known as binary instruments or detection-only monitors in that they reside in the circuit and do nothing until they detect the activity or behavior related to the activating trigger or the Trojan payload. In some cases, these instruments can then be incorporated into the manufactured design and can be used during test, verification, characterization and yield-analysis to increase the likelihood of detecting the malfeasant modifications during the normal hardware assurance process. In other cases, the monitors remain active within the device during mission mode and can provide an indicator if a detection event is positive. However, the problem with binary detection is that any given device can have tens to hundreds to thousands or even millions of potential Trojans, and many of these binary monitors can only be used to detect one attack; therefore, the number of binary monitors needed could be as many as “all the possible Trojan attacks that can be predicted to be installed.” This is not a very efficient system.
A previous patent disclosure also described the use of embedded instruments in conjunction with the programming of the Golden Model into an FPGA to conduct emulation, and using a trigger and Trojan insertion process to study the actual physical effect of an activating trigger and the Trojan payload. This type of evaluation also allows the analog, parametric and side-channel effects of an activating trigger and a Trojan payload to be investigated (which is oftentimes more insightful than just conducting a digital simulation). The programmable FPGA-based emulation provides a sandboxed environment to safely study activating triggers and Trojan payloads and can produce results that are more in line with real-time operation (as opposed to the extreme slowness involved with digital simulation).
This method can provide some brute-force means of tracing the Trojan payload effects and determining where to put the detection monitors. For example, if a secret code is embedded within the device and is processed by a logical unit, and a nefarious individual attaches an extra wire from the code processing unit to an unused output port, then, when triggered, the data can be “leaked” or “exfiltrated” through that unused port. Understanding which port, what type of protocol the port uses, and the nature of the “leaking data” can identify what type of instrument to place either at the port or along the path to the port. Trojans can be evaluated for their “importance” and pathways can be evaluated for the “best locations” to detect multiple Trojans with one instrument. However, even with this system in place, the analysis time may be a “schedule impact” during the design of the semiconductor device, as many possible Trojans may need to be inserted, operated and evaluated before instruments can be inserted into the design and evaluated as to their efficacy.
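By way of illustration only, and not as a description of the claimed subject matter, the “best locations” evaluation described above could be automated as a greedy coverage selection over candidate monitor locations. The sketch below assumes Python; the coverage map, the location names, and the monitor budget are hypothetical inputs chosen for the example, and deriving such a map (for example, from emulation traces) is outside the scope of the sketch.

```python
# Hedged sketch: greedy set-cover selection of monitor locations.
# Input "coverage" maps a candidate location to the set of candidate trojan
# payload paths observable at that location (a hypothetical, pre-computed input).
def choose_monitor_locations(coverage, budget):
    chosen = []
    uncovered = set().union(*coverage.values()) if coverage else set()
    while uncovered and len(chosen) < budget:
        # Pick the location that observes the most still-uncovered trojans.
        best = max(coverage, key=lambda loc: len(coverage[loc] & uncovered))
        if not coverage[best] & uncovered:
            break  # no remaining location adds coverage
        chosen.append(best)
        uncovered -= coverage[best]
    return chosen, uncovered

# Hypothetical example: one instrument on the shared output-port path covers both leakers.
coverage = {
    "unused_output_port": {"leaker_A", "leaker_B"},
    "code_processing_unit": {"leaker_A"},
    "bist_controller": {"thermal_dos"},
}
print(choose_monitor_locations(coverage, budget=2))
# -> (['unused_output_port', 'bist_controller'], set())
```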
A system is needed that further automates this selection and evaluation of instruments and the production of results, so that the monitors and instruments can be included within the device during the design process, and so that instruments that are more efficient than “one per potential Trojan” can be developed and used to minimize schedule impact and the area, power, timing and other physical cost factors involved with adding cybersecurity evaluation elements to the semiconductor or electronic device.
For reasons stated above and for other reasons which will become apparent to those skilled in the art upon reading and understanding the present specification, there is a need in the art for improved methods, systems, and apparatus for security assurance, protection, monitoring and analysis of facilities and electronic systems including circuits, such as integrated circuits, in relation to hardware trojans.
BRIEF DESCRIPTION OF THE INVENTION
The above-mentioned shortcomings, disadvantages and problems are addressed herein, as will be understood by those skilled in the art upon reading and studying the following specification. This summary is provided to introduce a selection of concepts in simplified form that are further described below in more detail in the Detailed Description. This summary is not intended to identify key or essential features of the claimed subject matter.
Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs. It will be further understood that terms, such as those defined in commonly used dictionaries, should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and the present disclosure, and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein.
In accordance with an embodiment, a method includes the steps of: operating an electronic facility comprising a machine learning (“ML”) instrument by applying operational vectors, the ML instrument being adapted to store operational data associated with a first functional circuit block; receiving the operational data from the ML instrument, the operational data being further characterized as normal operational data; developing a normal signature as a function of the normal operational data; storing the normal signature in a signature database; inserting a first trojan into the electronic facility at a location selected to produce anomalous behavior; operating the electronic facility by applying operational vectors and a first trojan trigger; receiving the operational data from the ML instrument, the operational data being further characterized as infected operational data; developing an infected signature as a function of the infected operational data; storing the infected signature in the signature database; inserting a second trojan into the electronic facility at a location selected to produce anomalous behavior; operating the electronic facility by applying operational vectors and a second trojan trigger; receiving the operational data from the ML instrument, the operational data being further characterized as unknown operational data; detecting anomalous behavior of the unknown operational data; developing a prediction metric as a function of the unknown operational data, the normal signature, and the infected signature; and storing the prediction metric in a prediction database.
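Purely for illustration of the data flow recited above, and not as the claimed implementation, the following sketch models the signature and prediction databases as in-memory Python dictionaries. The particular signature (per-feature mean and standard deviation) and the particular prediction metric (normalized distance to the normal signature versus the infected signature) are assumptions of the example, not requirements of the method.

```python
# Hedged sketch of the signature / prediction-metric bookkeeping described above.
import numpy as np

signature_db = {}    # stands in for the signature database
prediction_db = {}   # stands in for the prediction database

def develop_signature(name, operational_data):
    """Summarize operational data (rows = observations) into a stored signature."""
    data = np.asarray(operational_data, dtype=float)
    signature_db[name] = {"mean": data.mean(axis=0), "std": data.std(axis=0) + 1e-9}

def prediction_metric(run_id, unknown_data):
    """Score unknown operational data against the stored normal and infected signatures."""
    x = np.asarray(unknown_data, dtype=float).mean(axis=0)
    def dist(sig):
        return float(np.linalg.norm((x - sig["mean"]) / sig["std"]))
    d_normal, d_infected = dist(signature_db["normal"]), dist(signature_db["infected"])
    prediction_db[run_id] = {"anomalous": d_normal > d_infected,
                             "d_normal": d_normal, "d_infected": d_infected}
    return prediction_db[run_id]

# Synthetic usage: normal and infected runs, then an unknown run scored against both.
rng = np.random.default_rng(1)
develop_signature("normal", rng.normal(0.0, 1.0, size=(200, 4)))
develop_signature("infected", rng.normal(3.0, 1.0, size=(200, 4)))
print(prediction_metric("run_42", rng.normal(3.0, 1.0, size=(20, 4))))
```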
The disclosed subject matter itself, as well as further objectives, and advantages thereof, will best be illustrated by reference to the following detailed description of embodiments of the device read in conjunction with the accompanying drawings, wherein:
In the drawings, similar elements will be similarly numbered whenever possible. However, this practice is simply for convenience of reference and to avoid unnecessary proliferation of numbers, and is not intended to imply or suggest that our invention requires identity in either function or structure in the several embodiments.
DETAILED DESCRIPTION OF THE INVENTION
In this detailed description, reference is made to the accompanying drawings which form a part hereof, and in which is shown by way of illustration specific embodiments which may be practiced. These embodiments are described in sufficient detail to enable those skilled in the art to practice the embodiments and disclosure. It is to be understood that other embodiments may be utilized, and that logical, mechanical, electrical, and other changes may be made without departing from the scope of the embodiments and disclosure. In view of the foregoing, the following detailed description is not to be taken as limiting the scope of the embodiments or disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting. As used herein, the singular forms “a”, “an”, and “the” are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms “comprises” and/or “comprising” or “includes” and/or “including” when used in this specification, specify the presence of stated features, regions, integers, steps, operations, elements, and/or components, but do not preclude the presence or addition of one or more other features, regions, integers, steps, operations, elements, components, and/or groups thereof.
It will be appreciated that for simplicity and clarity of illustration, where considered appropriate, reference numerals may be repeated among the figures to indicate corresponding or analogous elements. In addition, numerous specific details are set forth in order to provide a thorough understanding of the implementations described herein. However, it will be understood by those of ordinary skill in the art that the implementations described herein may be practiced without these specific details. In other instances, well-known methods, procedures and components have not been described in detail so as not to obscure the implementations described herein. Also, the description is not to be considered as limiting the scope of the implementations described herein.
The detailed description set forth herein in connection with the appended drawings is intended as a description of exemplary embodiments in which the presently disclosed apparatus and system can be practiced. The term “exemplary” used throughout this description means “serving as an example, instance, or illustration,” and should not necessarily be construed as preferred or advantageous over other embodiments.
ML instruments 132[a-d] may be better understood by referring to the exemplary ML instrument 200 shown in the accompanying drawings.
There are three fundamental canonical attacks that may be performed by various trojans: (i) a behavior modification attack, where the hardware trojan seeks to alter how the device operates; (ii) a leaker attack, where the hardware trojan seeks to infiltrate or exfiltrate information; and (iii) a reliability impact attack, where the hardware trojan seeks to reduce the lifetime of the system, i.e., electronic facility 100. Each of these may be further broken down into specific types. By way of example, a behavior modification attack may be a kill-switch or denial-of-service attack that seeks to prevent operation of an important mission mode feature of the system. A behavior modification attack may be a take-over attack that allows an alternate master to control the device or mission mode feature. A behavior modification attack may be an alternate-operation attack that substitutes an alternate feature for an important mission mode feature. Other forms of behavior modification attacks, leaker attacks, and reliability impact attacks are contemplated and would be understood by one of ordinary skill.
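Purely as an illustrative aid, the canonical attack classes and subtypes named above can be organized into a label space for the identification models discussed later in this description. The sketch below assumes Python; the grouping of labels is an assumption of the example and is not required by the disclosure.

```python
# Hedged sketch: canonical attack classes expressed as a label hierarchy.
from enum import Enum

class CanonicalAttack(Enum):
    BEHAVIOR_MODIFICATION = "behavior_modification"
    LEAKER = "leaker"
    RELIABILITY_IMPACT = "reliability_impact"

# Subtype names follow the examples given in the text; the mapping itself is illustrative.
SUBTYPES = {
    CanonicalAttack.BEHAVIOR_MODIFICATION: ["kill_switch_denial_of_service",
                                            "take_over", "alternate_operation"],
    CanonicalAttack.LEAKER: ["infiltration", "exfiltration"],
    CanonicalAttack.RELIABILITY_IMPACT: ["lifetime_reduction"],
}
```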
The now-infected electronic facility 100 may be operated by applying operational vectors to electronic facility 100 to exercise all fundamental operations, and by applying triggering vectors to operate hardware trojan 602, using register transfer language (“RTL”) models that are of known quality. ML instruments may be instantiated within electronic facility 100 to capture data associated with the operations of the infected model, i.e., with hardware trojans.
The now-infected electronic facility 100 may be operated by applying operational vectors to electronic facility 100 to exercise all fundamental operations, and by applying triggering vectors to operate hardware trojan 802, using register transfer language (“RTL”) models that are of known quality. ML instruments may be instantiated within electronic facility 100 to capture data associated with the operations of the infected model, i.e., with hardware trojans.
Detecting and identifying known trojans, as well as detecting and classifying previously unknown trojans, in electronic facility 100 requires application of machine learning algorithms to the data collected from the hardware, as illustrated in the training data production process 300 of the accompanying drawings.
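As a non-limiting sketch of what such training data production could look like in practice, the Python fragment below assembles labeled records from captured instrument readings. The field names (time tag, location tag, temperature, voltage, power, timing slack) follow the kinds of data named elsewhere in this description, but the record layout, the CSV file format, and the dataset labels (“normal”, “T1”, “T2”) are assumptions of the example.

```python
# Hedged sketch: flatten ML-instrument readings into labeled training records.
from dataclasses import dataclass, asdict
import csv

@dataclass
class InstrumentRecord:
    time_tag: float        # when the reading was captured
    location_tag: str      # which embedded ML instrument produced it
    temperature: float
    voltage: float
    power: float
    timing_slack: float
    label: str             # "normal", or a known trojan dataset id such as "T1" / "T2"

def write_training_data(records, path="training_data.csv"):
    """Write captured records to a CSV consumable by the model-training step."""
    with open(path, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(asdict(records[0]).keys()))
        writer.writeheader()
        for rec in records:
            writer.writerow(asdict(rec))

# Hypothetical readings: one from a pristine run and one from an infected (T1) run.
write_training_data([
    InstrumentRecord(0.001, "ML_132a", 48.2, 0.99, 0.41, 0.12, "normal"),
    InstrumentRecord(0.001, "ML_132a", 55.7, 0.95, 0.58, 0.03, "T1"),
])
```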
The goal of the trojan detection model is to differentiate between normal and anomalous behavior in the hardware. For trojan detection we have selected a novelty detection approach. Novelty detection is a form of semi-supervised machine learning that is used for anomaly detection, wherein the training data is not polluted by outliers and we are interested in detecting whether a new observation is an outlier. For novelty detection, algorithms such as robust covariance, local outlier factor, and isolation forest are used with the normal dataset and the T1 and T2 datasets to maximize the space between datasets during training. If an observation is determined to be anomalous by the detection model, then it is passed to the trojan identification model. The goal of the identification model is to classify the observation as belonging to, or being analogous to, one of a set of known trojan behaviors. For the identification, algorithms that assign new observations to previously defined cohorts based on similar attributes are used, e.g., random forest, logistic regression, and neural networks.
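A minimal sketch of this two-stage detect-then-identify flow is given below, assuming Python with the scikit-learn library, an isolation forest for the novelty-detection stage, and a random forest for the identification stage. The synthetic feature matrices and the cohort names “T1” and “T2” stand in for data produced by the training data production process; they are assumptions of the example and not part of the claimed method.

```python
# Hedged sketch: novelty detection followed by cohort identification.
import numpy as np
from sklearn.ensemble import IsolationForest, RandomForestClassifier

rng = np.random.default_rng(0)
# Hypothetical operational data: rows = observations, columns = instrument readings
# (for example temperature, voltage, power consumption, timing figures).
X_normal = rng.normal(0.0, 1.0, size=(500, 6))     # pristine ("golden") behavior
X_t1 = rng.normal(2.5, 1.0, size=(100, 6))         # known trojan behavior, dataset T1
X_t2 = rng.normal(-2.5, 1.0, size=(100, 6))        # known trojan behavior, dataset T2

# Stage 1 -- detection: a novelty detector trained on the normal dataset.
detector = IsolationForest(random_state=0).fit(X_normal)

# Stage 2 -- identification: a classifier over the known trojan cohorts.
X_known = np.vstack([X_t1, X_t2])
y_known = np.array(["T1"] * len(X_t1) + ["T2"] * len(X_t2))
identifier = RandomForestClassifier(random_state=0).fit(X_known, y_known)

def classify(observation):
    """Return 'normal', or the most analogous known-trojan cohort."""
    if detector.predict(np.asarray(observation).reshape(1, -1))[0] == 1:  # +1 => inlier
        return "normal"
    return identifier.predict(np.asarray(observation).reshape(1, -1))[0]

print(classify(rng.normal(0.0, 1.0, size=6)))   # expected: normal
print(classify(rng.normal(2.5, 1.0, size=6)))   # expected: T1 (anomalous, T1-like)
```

Other algorithms named above could be substituted in the same structure, for example scikit-learn's EllipticEnvelope (robust covariance) or LocalOutlierFactor for the detection stage, and logistic regression or a neural network for the identification stage.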
The now-infected electronic facility 100 may be operated by applying operational vectors to electronic facility 100 to exercise all fundamental operations, and by applying triggering vectors to operate hardware trojan 1102, using register transfer language (“RTL”) models that are of known quality. As before, ML instruments may be instantiated within electronic facility 100 to capture data associated with the operations of the infected model, i.e., with unknown hardware trojan 1102.
The U.S. Global Positioning System (“GPS”) is part of a network of global navigation satellite systems (“GNSS”) and its signals are vulnerable to attack. GPS spoofing is an attack in which a radio transmitter located near the target is used to interfere with a legitimate GPS signal. The attacker could transmit no data at all, or could transmit inaccurate coordinates. GPS/GNSS is also used for accurate timing and attackers can interfere with that function as well. These types of attacks can be accomplished using inexpensive, commercially available, and portable software-defined radios running open source software. In the most common example, an attacker may position a broadcast antenna pointed toward a target's GPS receiver antenna, thus interfering with GPS signals of nearby buildings, ships, automobiles, or aircraft. GPS spoofing may also be deployed via drones or carried onto an airplane by a passenger. GPS spoofing has been reported globally with incidents involving maritime navigation issues, aeronautical navigation issues, and even automobile navigation issues. Various means of detecting GPS spoofing have been proposed, including cryptographic methods, distortion detection, and direction-of-arrival sensing. The detection and identification methods described herein are useful in detecting and identifying known and unknown hardware trojans. These methods are also useful as a means for detecting GPS spoofing, i.e., evaluating and authenticating the integrity of the GPS signal.
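As an illustrative sketch only, the same novelty-detection approach could be pointed at GPS/GNSS receiver observables to flag behavior that is inconsistent with an authentic-signal baseline. The particular observables used below (carrier-to-noise density, receiver clock drift, and position jump), the synthetic baseline data, and the choice of a local outlier factor model are assumptions of the example and are not prescribed by this description.

```python
# Hedged sketch: novelty detection over hypothetical GPS/GNSS receiver observables.
import numpy as np
from sklearn.neighbors import LocalOutlierFactor

rng = np.random.default_rng(7)
# Columns (assumed features): [C/N0 (dB-Hz), receiver clock drift (ns/s), position jump (m/s)]
X_authentic = np.column_stack([
    rng.normal(45.0, 2.0, 1000),   # carrier-to-noise density
    rng.normal(0.0, 5.0, 1000),    # clock drift
    rng.normal(0.5, 0.2, 1000),    # frame-to-frame position change
])

gps_detector = LocalOutlierFactor(novelty=True).fit(X_authentic)

def signal_is_suspect(observation):
    """Flag receiver behavior inconsistent with the authentic-signal baseline."""
    return gps_detector.predict(np.asarray(observation).reshape(1, -1))[0] == -1

print(signal_is_suspect([45.0, 2.0, 0.6]))    # consistent with baseline -> expected False
print(signal_is_suspect([52.0, 80.0, 40.0]))  # abrupt, spoof-like jump  -> expected True
```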
Apparatus, methods and systems according to embodiments of the disclosure are described. Although specific embodiments are illustrated and described herein, it will be appreciated by those of ordinary skill in the art that any arrangement which is calculated to achieve the same purposes can be substituted for the specific embodiments shown. This application is intended to cover any adaptations or variations of the embodiments and disclosure. For example, although the exemplary embodiments, systems, methods and apparatus described herein are described in terminology and terms common to the field of art, one of ordinary skill in the art will appreciate that implementations can be made for other fields of art, systems, apparatus or methods that provide the required functions. The invention should therefore not be limited by the above-described embodiments, methods, and examples, but by all embodiments and methods within the scope and spirit of the invention.
In particular, one of ordinary skill in the art will readily appreciate that the names of the methods and apparatus are not intended to limit embodiments or the disclosure. Furthermore, additional methods, steps, and apparatus can be added to the components, functions can be rearranged among the components, and new components corresponding to future enhancements and physical devices used in embodiments can be introduced without departing from the scope of embodiments and the disclosure. One of skill in the art will readily recognize that embodiments are applicable to future systems, future apparatus, future methods, and different materials.
All methods described herein can be performed in a suitable order unless otherwise indicated herein or otherwise clearly contradicted by context. The use of any and all examples, or exemplary language (e.g., “such as”), is intended merely to better illustrate the disclosure and does not pose a limitation on the scope of the disclosure unless otherwise claimed. No language in the specification should be construed as indicating any non-claimed element as essential to the practice of the disclosure as used herein.
Terminology used in the present disclosure is intended to include all environments and alternate technologies that provide the same functionality described herein.
Claims
1. A method comprising the steps of:
- operating an electronic facility comprising an ML instrument by applying operational vectors, said ML instrument being adapted to store operational data associated with a first functional circuit block;
- receiving said operational data from said ML instrument, said operational data being further characterized as normal operational data;
- developing a normal signature as a function of said normal operational data;
- storing said normal signature in a signature database;
- inserting a first trojan into said electronic facility at a location selected to produce anomalous behavior;
- operating said electronic facility by applying operational vectors and a first trojan trigger;
- receiving said operational data from said ML instrument, said operational data being further characterized as infected operational data;
- developing an infected signature as a function of said infected operational data;
- storing said infected signature in said signature database;
- inserting a second trojan into said electronic facility at a location selected to produce anomalous behavior;
- operating said electronic facility by applying operational vectors and a second trojan trigger;
- receiving said operational data from said ML instrument, said operational data being further characterized as unknown operational data;
- detecting anomalous behavior of said unknown operational data;
- developing a prediction metric as a function of said unknown operational data, said normal signature, and said infected signature;
- storing said prediction metric in a prediction database.
2. The method of claim 1 wherein said normal operational data and the infected operational data are further characterized as comprising at least one of temperature, voltage, power consumption, supply voltage variation, ground voltage variation, and timing degradation.
3. The method of claim 1 wherein said normal operational data is further characterized as comprising XML variables.
4. The method of claim 1 wherein said normal operational data is further characterized as comprising a time tag.
5. The method of claim 1 wherein said normal operational data is further characterized as comprising a location tag.
6. A method comprising the steps of:
- operating an electronic facility in an emulator system;
- embedding a plurality of ML instruments into said electronic facility to form an instrumented pristine model;
- collecting normal operational data;
- developing a normal signature as a function of said normal operational data;
- storing said normal signature in a signature database;
- inserting a first trojan into said electronic facility at a location selected to produce anomalous behavior;
- operating said electronic facility;
- collecting infected operational data;
- developing an infected signature as a function of said infected operational data;
- storing said infected signature in said signature database.
7. The method of claim 6 wherein said normal operational data and the infected operational data are further characterized as comprising at least one of temperature, voltage, power consumption, supply voltage variation, ground voltage variation, and timing degradation.
8. The method of claim 6 wherein said normal operational data is further characterized as comprising XML variables.
9. The method of claim 6 wherein said normal operational data is further characterized as comprising a time tag.
10. The method of claim 6 wherein said normal operational data is further characterized as comprising a location tag.
Type: Grant
Filed: Dec 27, 2020
Date of Patent: Aug 22, 2023
Patent Publication Number: 20220030013
Inventors: Alfred Larry Crouch (Cedar Park, TX), Peter Lawrence Levin (Silver Springs, MD), John David Akin (Plano, TX), Adam Wade Ley (Allen, TX), Matthew McKinnon Ritonia (Arlington, VA), Wesley Layton Ellington (Dallas, TX), Maria Anne Spasojevic (Palo Alto, CA)
Primary Examiner: Cai Y Chen
Application Number: 17/134,438
International Classification: H04L 9/40 (20220101); G06N 5/04 (20230101); G06F 16/23 (20190101); G06N 20/00 (20190101); G01S 19/23 (20100101); G01S 19/42 (20100101);